US12506757B2ActiveUtilityA1

Anomaly detection using collaborative filtering

83
Assignee: IBMPriority: Jan 27, 2023Filed: Jan 27, 2023Granted: Dec 23, 2025
Est. expiryJan 27, 2043(~16.6 yrs left)· nominal 20-yr term from priority
H04L 63/1425
83
PatentIndex Score
1
Cited by
26
References
19
Claims

Abstract

Described are techniques for network anomaly detection. The techniques include generating, from network traffic, a plurality of network interactions, where respective network interactions comprise a communication source and a communication destination. The techniques further include generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model. The techniques further include calculating, for the respective network interactions, an outlier score based on the recommendation score. The techniques further include generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination;   generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model;   calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating;   generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and   automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.   
     
     
         2 . The method of  claim 1 , wherein the metric comprises an amount of data exchanged between the communication source and the communication destination. 
     
     
         3 . The method of  claim 1 , wherein the metric comprises a recency of data exchanged between the communication source and the communication destination. 
     
     
         4 . The method of  claim 1 , wherein the metric comprises a frequency of interaction between the communication source and the communication destination. 
     
     
         5 . The method of  claim 1 , wherein a relatively stronger recommendation score generates a relatively less anomalous outlier score, and wherein a relatively weaker recommendation score generates a relatively more anomalous outlier score. 
     
     
         6 . The method of  claim 1 , wherein the communication source comprises an Internet Protocol (IP) address. 
     
     
         7 . The method of  claim 1 , wherein the communication source comprises a Media Access Control (MAC) address. 
     
     
         8 . The method of  claim 1 , wherein the communication source comprises a host name. 
     
     
         9 . The method of  claim 1 , wherein the communication source comprises a username. 
     
     
         10 . The method of  claim 1 , wherein the communication source comprises a dynamic Internet Protocol (IP) range. 
     
     
         11 . The method of  claim 1 , wherein the communication source comprises a network name. 
     
     
         12 . The method of  claim 1 , wherein the communication source comprises a container identifier. 
     
     
         13 . The method of  claim 1 , wherein the communication source comprises, for respective network interactions, at least one Internet Protocol (IP) address, at least one Media Access Control (MAC) address, at least one host name, at least one username, at least one dynamic Internet Protocol (IP) range, at least one network name, and at least one container identifier. 
     
     
         14 . The method of  claim 1 , wherein the communication destination is an application identifier. 
     
     
         15 . The method of  claim 1 , wherein the method is performed by a server implementing network anomaly detection code, and wherein the method further comprises:
 metering usage of the network anomaly detection code; and   generating an invoice based on metering the usage of the network anomaly detection code.   
     
     
         16 . The method of  claim 1 , wherein the communication destination is a destination port. 
     
     
         17 . The method of  claim 1 , wherein the cybersecurity mitigation action comprises adjusting a bandwidth Quality of Service characteristic of the one or more network components. 
     
     
         18 . A system comprising:
 one or more computer readable storage media storing program instructions; and   one or more processors which, in response to executing the program instructions, are configured to perform a method comprising:   generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination;   generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model;   calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating;   generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and   automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.   
     
     
         19 . A computer program product comprising one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising instructions configured to cause one or more processors to perform a method comprising:
 generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination;   generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model;   calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating;   generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and   automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.